Use the release notes to learn about the latest features of IBM Hyper Protect Virtual Servers version 2.1.x.
The IBM Hyper Protect Virtual Servers version 2.1.x provides the following features:
Flexible deployments in Linux hypervisors: Secure Execution for Linux enables deployment of isolated workloads protected by Confidential Computing at scale, and enables client-defined middleware and hypervisor. With this, Hyper Protect Virtual Servers can be integrated into a virtualized Linux environment and no longer needs an isolated logical partition (LPAR) on the system. The protection boundary moves from the LPAR level, which includes the operating system and application, to complete isolation of the application from the operating system. Client code and data are exclusively controlled by their administrators, no exceptions.
Leverage common infrastructure for container registry, logging, and management:
- Support customer provided container registry in addition to any public registries like IBM Container Registry, DockerHub, or Linux Distribution provided Base Container registry.
- During deployment, a remote Log Analysis instance can be provided to get per-deployment relevant, workload-specific logging information reported with encrypted data-in-flight.
Multiparty contract and attestation of deployment: Apply Zero Trust principles from workload development through deployment. As multiple personas and legal entities collaborate, it is essential to separate duty and access. Hyper Protect Virtual Servers is based on a newly introduced encrypted contract concept. It enables each persona to provide its contribution and be ensured through encryption that none of the other personas can access this data or intellectual property. The deployment can be validated by an auditor persona through an attestation record, which is signed and encrypted to ensure only the auditor has this level of insight.
Integrated data-at-rest protection: Uses a Linux Unified Key Setup (LUKS) encryption passphrase only present within the Trusted Execution Environment and based on a key derivation during deployment, based on seeds provided by the workload and environment persona.
Container runtime and malware protection: Any Open Container Initiative (OCI) image gains the benefit of a Confidential Computing solution with an extra level of protection. Hyper Protect Virtual Servers 2.1 will only deploy container versions which are validated at deployment through explicit digest or are signed.
Access a Crypto Express adapter in Enterprise PKCS#11 (EP11) mode: The usage of a Hardware Security Module (HSM) to protect keys is common for many use cases. To enable such solutions, directly attach a Crypto Express adapter to a dedicated Secure Service Container LPAR and deploy the Crypto Express Network API for Secure Execution Enclaves that is provided as a component of Hyper Protect Virtual Servers. As the also provided Grep11 server is deployed in the Hyper Protect Container runtime EP11 operations are now performed in the HSM which communication is secured through an mTLS-protected network channel from the Trusted Execution Environment.